Detecting Common User/Domain Recon

Key Concepts

  • Active Directory (AD) Domain Reconnaissance: A critical phase in the attack lifecycle where attackers gather information on the AD environment, seeking knowledge about its:

    • Architecture, network topology, and security setup.

    • Key assets, including Domain Controllers, user accounts, groups, trust relationships, OUs, and GPOs.

  • Objective: Identify high-value targets, escalate privileges, and enable lateral movement.

Recon Techniques with Native Windows Commands

Adversaries may execute commands like net group to list Domain Administrators. Common Windows executables used for domain reconnaissance include:

  • whoami /all

  • wmic computersystem get domain

  • net user /domain

  • net group "Domain Admins" /domain

  • arp -a

  • nltest /domain_trusts

Detection: Use PowerShell and command-line monitoring to flag unusual command execution.

Recon with BloodHound/SharpHound

  • BloodHound: Open-source tool for visualizing AD relationships, trust paths, permissions, and group memberships.

  • SharpHound: BloodHound’s C# data collector; commonly run with -c all to gather comprehensive data.

BloodHound Detection Methods

  • LDAP Queries: BloodHound collectors perform many LDAP queries on Domain Controllers.

  • Monitoring Techniques:

    • Event 1644: Windows LDAP performance monitoring, though limited in visibility.

    • ETW Provider (Microsoft-Windows-LDAP-Client): Used with tools like SilkETW and SilkService (supports Yara rule-based query detection).

    • Predefined LDAP Filters: Use filters recommended by Microsoft’s ATP team to recognize common reconnaissance LDAP queries.

Detecting User/Domain Recon with Splunk

Objective: Use Splunk queries to detect common reconnaissance activities in a specific time frame, filtering high-volume noise to focus on suspicious events.

Detecting Recon Using Native Windows Executables

Timeframe: earliest=1690447949 to latest=1690450687

Splunk Query

Query Breakdown

  1. Filter by Index and Source:

    • Logs are pulled from Sysmon’s process creation events (EventID=1) within a specific timeframe.

  2. Process Name Filter:

    • Targets processes typically associated with reconnaissance commands or command-line tools.

  3. Aggregate with Stats:

    • Groups results by parent_process, parent_process_id, dest, and user, collecting unique processes and earliest timestamps.

  4. Filter by Process Count:

    • Flags events where more than three reconnaissance-related processes were run by the same parent process.
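The four steps above, implemented as a small Python detector so the logic can be exercised offline. This is an added example and not the page's Splunk query: the Sysmon field names (dest, user, parent_process, parent_process_id, process, EventCode) mirror the breakdown but are assumptions, the image-name list is an assumed mapping from the commands listed earlier (net.exe delegates to net1.exe, so both are included), and the sample events are constructed. The "more than three" rule is applied to distinct recon images per parent, not to raw event count, so a parent that re-runs net.exe several times is not counted several times.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Assumed mapping (not from the page) from the listed commands to Sysmon image names.
RECON_IMAGES = {"whoami.exe", "wmic.exe", "net.exe", "net1.exe", "arp.exe", "nltest.exe"}

# Window from the notes; threshold reproduces the "more than three" rule.
EARLIEST, LATEST = 1690447949, 1690450687


def sysmon_event(ts, dest, user, parent, parent_pid, image, code=1):
    """Constructed record shaped like a Sysmon event after Splunk field
    extraction (field names are assumptions mirroring the query breakdown)."""
    return {"_time": ts, "EventCode": code, "dest": dest, "user": user,
            "parent_process": parent, "parent_process_id": parent_pid, "process": image}


# Constructed sample data: one interactive cmd.exe that walks the recon list,
# plus activity that must not trip the rule.
SAMPLE_EVENTS = [
    sysmon_event(1690448001, "WS01", "CORP\\jdoe", "cmd.exe", 4120, "whoami.exe"),
    sysmon_event(1690448009, "WS01", "CORP\\jdoe", "cmd.exe", 4120, "net.exe"),
    sysmon_event(1690448009, "WS01", "CORP\\jdoe", "cmd.exe", 4120, "net1.exe"),
    sysmon_event(1690448030, "WS01", "CORP\\jdoe", "cmd.exe", 4120, "nltest.exe"),
    sysmon_event(1690448052, "WS01", "CORP\\jdoe", "cmd.exe", 4120, "wmic.exe"),
    sysmon_event(1690448060, "WS01", "CORP\\jdoe", "cmd.exe", 4120, "net.exe"),  # repeat image
    # Script on SRV01: three distinct recon images, so it stays under the threshold.
    sysmon_event(1690448100, "SRV01", "CORP\\svc_backup", "cmd.exe", 5000, "net.exe"),
    sysmon_event(1690448100, "SRV01", "CORP\\svc_backup", "cmd.exe", 5000, "net1.exe"),
    sysmon_event(1690448101, "SRV01", "CORP\\svc_backup", "cmd.exe", 5000, "whoami.exe"),
    # WS02: one event outside the window and one non-process-creation event (EventCode 3)
    # are dropped, leaving three distinct images.
    sysmon_event(1690440000, "WS02", "CORP\\asmith", "cmd.exe", 880, "nltest.exe"),
    sysmon_event(1690448200, "WS02", "CORP\\asmith", "cmd.exe", 880, "whoami.exe"),
    sysmon_event(1690448201, "WS02", "CORP\\asmith", "cmd.exe", 880, "arp.exe"),
    sysmon_event(1690448202, "WS02", "CORP\\asmith", "cmd.exe", 880, "net.exe"),
    sysmon_event(1690448203, "WS02", "CORP\\asmith", "cmd.exe", 880, "wmic.exe", code=3),
]


def detect_native_recon(events, earliest=EARLIEST, latest=LATEST, threshold=3):
    """Steps 1-4 of the breakdown: keep EventID 1 inside the window, keep recon
    images, group by parent/dest/user collecting distinct images and the earliest
    timestamp, then flag groups with more than `threshold` distinct images."""
    groups = defaultdict(lambda: {"processes": set(), "first_seen": None})
    for ev in events:
        if ev["EventCode"] != 1 or not (earliest <= ev["_time"] <= latest):
            continue
        image = ev["process"].lower()
        if image not in RECON_IMAGES:
            continue
        key = (ev["parent_process"], ev["parent_process_id"], ev["dest"], ev["user"])
        g = groups[key]
        g["processes"].add(image)
        if g["first_seen"] is None or ev["_time"] < g["first_seen"]:
            g["first_seen"] = ev["_time"]

    findings = []
    for (parent, ppid, dest, user), g in groups.items():
        if len(g["processes"]) > threshold:
            first = g["first_seen"]
            findings.append({
                "parent_process": parent, "parent_process_id": ppid,
                "dest": dest, "user": user,
                "process_count": len(g["processes"]),
                "processes": sorted(g["processes"]),
                "first_seen": first,
                "first_seen_utc": datetime.fromtimestamp(first, tz=timezone.utc)
                                          .strftime("%Y-%m-%d %H:%M:%S"),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_native_recon(SAMPLE_EVENTS):
        print(finding)
```

Only the WS01 parent is reported; lowering the threshold (for example to 2) surfaces the SRV01 and WS02 parents as well, which is the tuning decision the "filter by process count" step exists to make.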

Detecting Recon Using BloodHound

Timeframe: earliest=1690195896 to latest=1690285475

Splunk Query

Query Breakdown

  1. Filter by Index and Source:

    • Searches SilkService logs for events within a specified timeframe.

  2. Extract Fields:

    • spath extracts structured fields (e.g., XML data) from Message.

  3. Rename and Table:

    • Renames fields for easier reference and organizes results by key data points.

  4. Filter by LDAP Search Filter:

    • Detects queries containing samAccountType=805306368, often linked to BloodHound’s AD queries.

  5. Statistics Aggregation:

    • Counts events by ComputerName, ProcessName, and ProcessId, checking for instances with over 10 occurrences.

  6. Convert Timestamp:

    • Formats maxTime to human-readable format for timeline analysis.
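The six steps above as a Python detector over constructed SilkService-style records, added here as an example; it is not the page's Splunk query and not SilkETW's own output format. Each record carries a JSON payload in Message that json.loads expands the way spath would; the payload field names (ComputerName, ProcessName, ProcessId, SearchFilter) follow the breakdown but are assumptions, and all sample records are constructed. sAMAccountType 805306368 (0x30000000) is the value for normal user accounts, which is why a filter on it matches "every user in the domain" and shows up in collector traffic. LDAP attribute names are case-insensitive, so the match is done on the lower-cased filter string.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# 805306368 = SAM_NORMAL_USER_ACCOUNT; compared case-insensitively.
LDAP_FILTER_MARKER = "samaccounttype=805306368"
EARLIEST, LATEST = 1690195896, 1690285475


def silk_record(ts, computer, process, pid, search_filter):
    """Constructed record shaped like a SilkService event in Splunk: Message
    holds a JSON payload that spath would expand. Field names are assumed."""
    payload = {"ProviderName": "Microsoft-Windows-LDAP-Client",
               "ComputerName": computer, "ProcessName": process,
               "ProcessId": pid, "SearchFilter": search_filter}
    return {"_time": ts, "Message": json.dumps(payload)}


def build_sample_records():
    """Constructed sample set: a collector-style burst, a few matching queries
    from an admin console, unrelated queries, and one record outside the window."""
    recs = []
    base = 1690196000
    for i in range(12):  # 12 user-enumeration queries from one process on DC01
        recs.append(silk_record(base + 5 * i, "DC01", "SharpHound.exe", 6644,
                                "(samAccountType=805306368)"))
    recs.append(silk_record(base + 70, "DC01", "SharpHound.exe", 6644, "(objectClass=group)"))
    for i in range(4):  # matches the marker but stays under the threshold
        recs.append(silk_record(base + 500 + i, "DC01", "mmc.exe", 2312,
                                "(sAMAccountType=805306368)"))
    recs.append(silk_record(1690100000, "DC01", "SharpHound.exe", 6644,
                            "(samAccountType=805306368)"))  # outside the window
    return recs


def detect_bloodhound_ldap(records, earliest=EARLIEST, latest=LATEST, threshold=10):
    """Steps 1-6 of the breakdown: time-filter, expand Message, keep records whose
    SearchFilter carries the marker, count per (ComputerName, ProcessName,
    ProcessId), flag counts above `threshold`, and render maxTime as UTC text."""
    stats = defaultdict(lambda: {"count": 0, "maxTime": 0})
    for rec in records:
        if not (earliest <= rec["_time"] <= latest):
            continue
        data = json.loads(rec["Message"])  # spath equivalent
        if LDAP_FILTER_MARKER not in data.get("SearchFilter", "").lower():
            continue
        key = (data["ComputerName"], data["ProcessName"], data["ProcessId"])
        stats[key]["count"] += 1
        stats[key]["maxTime"] = max(stats[key]["maxTime"], rec["_time"])

    findings = []
    for (computer, process, pid), s in stats.items():
        if s["count"] > threshold:
            findings.append({
                "ComputerName": computer, "ProcessName": process, "ProcessId": pid,
                "count": s["count"], "maxTime": s["maxTime"],
                "maxTime_utc": datetime.fromtimestamp(s["maxTime"], tz=timezone.utc)
                                       .strftime("%Y-%m-%d %H:%M:%S"),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_bloodhound_ldap(build_sample_records()):
        print(finding)
```

Counting per process rather than per host is what separates a collector's burst from the handful of identical queries an admin console issues; the threshold of 10 is the page's value and should be re-baselined against normal LDAP client traffic in each environment.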
